Security update addressing stored xss
kylephillips committed Dec 13, 2024
1 parent ab08140 commit 9029e7a
Showing 4 changed files with 12 additions and 9 deletions.
2 changes: 1 addition & 1 deletion app/NestedPages.php
Expand Up @@ -12,7 +12,7 @@ public static function init()
$np_env = 'live';

global $np_version;
$np_version = '3.2.9';
$np_version = '3.2.10';

if ( is_admin() ) $app = new NestedPages\Bootstrap;
if ( !is_admin() ) $app = new NestedPages\FrontEndBootstrap;
14 changes: 7 additions & 7 deletions app/Views/settings/partials/nav-menu-settings.php
Expand Up @@ -43,7 +43,7 @@
?>
<button class="button button-small details-button" data-np-remove-separator-button><?php _e('Remove', 'wp-nested-pages'); ?></button>
<?php else : ?>
<input type="text" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][label]" value="<?php if ( $item_data['custom_label'] ) echo $item_data['custom_label']; ?>" placeholder="<?php esc_html_e($item_data['original_text']); ?>" class="menu-title-field" />
<input type="text" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][label]" value="<?php if ( $item_data['custom_label'] ) echo esc_attr($item_data['custom_label']); ?>" placeholder="<?php esc_html_e($item_data['original_text']); ?>" class="menu-title-field" />
<button class="button button-small details-button" data-np-extra-options-button><?php _e('Details', 'wp-nested-pages');?></button>
<?php endif; ?>
</p>
Expand All @@ -63,11 +63,11 @@
<div class="np-extra-options" data-np-extra-options>
<div class="half">
<label><?php _e('Icon CSS Class', 'wp-nested-pages'); ?> <em>(<a href="https://developer.wordpress.org/resource/dashicons/#admin-site" target="_blank"><?php _e('Reference', 'wp-nested-pages'); ?></a>)</em></label>
<input type="text" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][icon]" value="<?php if ( $item_data['custom_icon'] ) echo sanitize_text_field($item_data['custom_icon']); ?>" placeholder="<?php echo sanitize_text_field($item_data['original_icon']); ?>" />
<input type="text" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][icon]" value="<?php if ( $item_data['custom_icon'] ) echo esc_attr(sanitize_text_field($item_data['custom_icon'])); ?>" placeholder="<?php echo sanitize_text_field($item_data['original_icon']); ?>" />
</div><!-- .half -->
<div class="half right" style="display:none;">
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][link]" value="<?php echo $item_data['original_link']; ?>">
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][original_link]" value="<?php echo $item_data['original_link']; ?>">
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][link]" value="<?php echo esc_attr($item_data['original_link']); ?>">
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][original_link]" value="<?php echo esc_attr($item_data['original_link']); ?>">
</div>
</div><!-- .np-extra-options -->
<?php endif; ?>
Expand All @@ -90,9 +90,9 @@
</div>
<div class="title"><p><?php echo $label; ?></p></div>
<div class="hide-checkbox">
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][label]" value="<?php echo $label; ?>" />
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][role]" value="<?php echo $role_name; ?>" />
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][link]" value="<?php echo $link; ?>" />
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][label]" value="<?php echo esc_attr($label); ?>" />
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][role]" value="<?php echo esc_attr($role_name); ?>" />
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][link]" value="<?php echo esc_attr($link); ?>" />
<input type="hidden" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][order]" value="<?php echo $si; ?>" data-np-submenu-order>
<?php if ( $link !== 'nested-pages-settings' ) : ?>
<input type="checkbox" name="nestedpages_admin[nav_menu_options][<?php echo $role['name']; ?>][<?php echo $item_data['id']; ?>][submenu][<?php echo $si; ?>][hidden]" value="true" data-nestedpages-admin-nav-item-checkbox <?php if ( $hidden_sub ) echo 'checked'; ?>/>
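Review bot: `$label` is still echoed unescaped into HTML body context on the context line `<div class="title"><p><?php echo $label; ?></p></div>` just above the hidden inputs, while the new `[submenu][...][label]` line wraps the same value in esc_attr(); if the value warrants escaping in the attribute it warrants `<?php echo esc_html($label); ?>` in the element body as well. The `name` attributes on every line of this section still interpolate `$role['name']` and `$item_data['id']` with a bare echo, and in the first hunk the `placeholder` uses esc_html_e() (an HTML-body escaper that also passes the value through translation) where esc_attr_e() is the attribute-context function, while sanitize_text_field() on the icon `placeholder` strips tags but does not encode quotes, so it is not an attribute escaper either. Whether those values can be user-controlled is not visible from this hunk, so treat these as consistency and defence-in-depth points rather than confirmed sinks. The enclosing loop and template start and end outside the hunk.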
2 changes: 1 addition & 1 deletion nestedpages.php
Expand Up @@ -3,7 +3,7 @@
Plugin Name: Nested Pages
Plugin URI: http://nestedpages.com
Description: Provides an intuitive drag and drop interface for managing pages in the Wordpress admin, while enhancing quick edit. Includes an auto-generated menu to match the nested interface, support for all post types and more.
Version: 3.2.9
Version: 3.2.10
Tested up to: 6.7
Author: Kyle Phillips
Author URI: https://github.com/kylephillips
3 changes: 3 additions & 0 deletions readme.txt
Expand Up @@ -107,6 +107,9 @@ No. The menu synchronization currently only works within the pages post type.

== Changelog ==

= 3.2.10 =
* Security update addressing XSS code vulnerability

= 3.2.9 =
* Security update addressing XSS code vulnerability (Thanks to Artyom Krugov from CleanTalk and Animesh Gaurav from Automaticc)

